There are "multiple" online services and JavaScript code
available which uses WebRTC function. Even if you are using VPN's or
Privacy based browsers it leaks your actual public and private IP
address.

I think this is more of a privacy issue
rather than security if we talk specifically in browser based bug
bounty, however such information can help attacker to do further
recon/attack if they are in same network.

Don't forget Facebook even they have Webkits and it is vulnerable too.Facebook Team says :Hi Dhiraj,

Thank
you for your report. We've looked into your finding but determined the
information being leaked is not sensitive enough to warrant a bounty. We
may consider leakage of a victims referrer header, but it would have to
display a full and potentially sensitive path. However we have
protections in place which prevent this from happening. Although this
finding doesn't qualify we still appreciate your time and effort sending
it in.

Okay if your an android lover, you would be
aware with android webkit though, The android webkit also leaks IP
address as well, I tested this on Nokia 8 android 8.1.0 and the issue
still exists.

Android Team says:

The
Android security team has conducted an initial severity assessment on
this report. Based on our published severity assessment matrix (1) it
was rated as not being a security vulnerability that would meet the
severity bar for inclusion in an Android security bulletin.

Pheewww ! then what, I started targeting privacy browser and the very first browser came in my mind was DuckDuck Go which has 1,000,000+ download rate in Android market and being an privacy based browser the WebRTC was enabled over there and it
leaks your IP address, I reported the same to DD Go Security Team.Duck Duck Go Team says:Hi again Dhiraj,

Thank you for trying out the new browser and for sending this report,including the security team. They're currently looking into this andI'll let you know if any further information is needed.

There's a similar discussion in the Firefox Focus for Android repositoryon GitHub, so we'll keep an eye on that too:https://github.com/mozilla-mobile/focus-android/issues/609
Hmmmm cool, then CVE-2018-6849 was assign for this issue, However I keep on taking follow up for them but they are taking too long time to patch. #Unpatched

Then I thought of creating module for this, many thanks to Brendan Coles
who helped me in this and even suggested this can be used has a
functionality to a HTTP library would be more useful, as it could be
leveraged by existing exploits and info gathering modules.

Working of my MSF Module on DuckDuck Go Privacy Browser

In between RageLtMan also gave his thoughts that "I could actually see a benefit to this being in lib for use by things like #8648.
I can inject the separate script ref in the response via the MITM
mechanism, but would be cool to just generate and serve the JS directly
(for any script we think will have more than 2 weeks of lifetime in
browsers). Thanks for the PR"

Outcome:
So lets see, I started with private IP leak vulnerability which turned to CVE-2018-6849,
which gave rise to Metasploit module, which will inturn became a part of
MSF library, now that's cool. Hope you like the read......